Mediator monitoring and controlling access to electronic content

ABSTRACT

Methods, systems and apparatuses for a mediator controlling access to an electronic content, are disclosed. One method includes receiving, by a mediator server of a mediator, a second share SK G2  from an owner server, wherein a first share SK G1  is provided to a member server of a member of a group by the owner server. Further, the mediator receives a request for mediation, including the mediator receiving a dispatch of the header of the encrypted electronic content from the member. Further, the mediator determines whether the member is eligible to decrypt the electronic content, if eligible, the mediator responding to the request for mediation with a member accessible header, wherein the member accessible header includes the header after application of SK G2 .

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.13/716,351, filed Dec. 17, 2012, and entitled “Monitoring andControlling Access to Electronic Content”, which is acontinuation-in-part (CIP) of U.S. patent application Ser. No.13/613,080, filed Sep. 13, 2012, and entitled “Providing TrustworthyWorkflow Across Trust Boundaries” which claims priority to U.S.Provisional Patent Application No. 61/598,071, filed Feb. 13, 2012, andentitled “High-Scale and Distributed Business and Consumer Networks,”all of which are incorporated herein by reference.

FIELD OF THE DESCRIBED EMBODIMENTS

The described embodiments relate generally to electronic communicationthrough cloud networks. More particularly, the described embodimentsrelate to methods, systems and apparatuses for a mediator monitoring andcontrolling access to electronic content.

BACKGROUND

A trust boundary in an electronic network is defined as a region withinwhich all computer systems, their operations, and the data are trusted.Typically, a trust boundary is protected by computer security hardwareand software such as firewalls, Virtual Private Networks (VPNs),intrusion detection and prevention systems, data leakage protections,antivirus programs, etc. For example, for an organization, a trustboundary may include an entire data center infrastructure, includingcomputers connected via VPNs. For an individual, a laptop computer couldbe her trust boundary.

Various mechanisms exist today to facilitate secure communicationsbetween trust boundaries. SSL/TLS and IPSec are two examples. Thesemechanisms are intrinsically point-to-point, thus for many-to-manysecure information sharing and collaboration, it will require a worstcase “N-squared messy cross-bar” connectivity for all N trust boundarieswhere every party needs to be able to field electronic communicationsfrom every other party. This can become costly and complex.

On the other hand, Web based technologies, and now cloud computing makeinformation sharing and collaboration increasingly cheaper and easier.In essence, this is a central intermediary based hub-spoke communicationmodel. When it comes to secure sharing, this model requires that thecentral intermediary to be a trusted escrow that must be trusted by allparties across all trust boundaries in the network and that no one inthe network will surreptitiously game the system for their own profit.

Such a blind trust hub-spoke model tends to fail due to a range ofchallenges that include breaches of hub's electronic perimeters, insiderattacks, coercion from governments and organized crimes, and otherthreats to the hub. All indications are that any model that involvesconventional electronic security, and is based on a need to trust anycentral individual or organization to follow the rules, is deeplyflawed. This is demonstrated by the fact that even with improvements intechnologies for monitoring and protection, the rate of successfulintrusions and internal malfeasance is actually rising rapidly.

In present day enterprises, the custodian (typically the hub, theinfrastructure service operator/provider in physical possession of thesensitive data) and the curator (typically some spoke, the ITorganization that owes and authorizes access to this data) are withinthe same organization, and most likely within the same legal andcompliance domain. Authentication is typically implemented throughtechniques such as Kerberos and Open ID; authorization is typicallythrough infrastructure such as AD and Security Groups; access control isenforced by the various data containers that include databases, documentmanagement systems, and networked file systems. Organizations alsoleverage PKI and X.509v3 for identity through Smart Cards,SAML/WS-Trust/WS-Federation for single sign-on and federation ofauthorization. Various technologies and solutions exist for theorganization to implement its own Authentication and Authorization, andto federate beyond that organization with business partners and otherservice providers or service consumers.

When IT infrastructures such as data storage or containers are moved toa hosting service in the cloud, the role of the custodian and curator isseparated, where the cloud service provider that is hosting the data isnow the custodian of that data, while the curatorship continues toremain in the hands of functionaries within that organization. Forlegal, compliance and other business IP protection reasons,organizations can't afford the blind trust on the cloud serviceproviders, thus are disinclined to adopt these services, or they demandunlimited liability protection.

In order to solve this problem, the cloud needs to be constrained infunction to be only a policy enforcement service that is implementingthe exact policy specified by the customer organization and its curatorfunctionary. Furthermore, this new cloud architecture needs toseamlessly integrate, without any significant requirement to modify theexisting IT infrastructure, or the existing business process.

Typically for an individual, business or other organization that isregulated, it is an option for them to outsource their IT, but it is notan option for them to outsource their risk. In the case of negligence ormaleficence on the part of a service provider (hub), the risks to theindividual or organization could be significant. As a consequence,organizations and businesses require significant liability protectionfrom the service provider. This would transfer the risk to the hub,which could exacerbate that organization's own risk since it could besubject to negligence or maleficence on the part of their own employees,or coercion from governments, or intrusions by hackers.

In short, there is no solution existing today that can alloworganizations and individuals (curators) to extend the existing ITinfrastructures along with the business processes (such as Governance,Risk Management, and Compliance, GRC in short) to the cloud serviceproviders (custodians), across the trust boundaries while a) the dataprivacy and confidentiality are ensured—custodians can never see thesensitive data nor the policies about how the data can be accessed; b)the visibility into, and the control over access to, or modification ofthe data are fully retained by the curators; and c) multiple curatorsacross trust boundaries can collaborate and share the sensitive datathrough the custodians.

There is a need for systems, methods and apparatuses that address theabove-listed requirements in cloud computing, and provide a trustworthyworkflow across trust boundaries between parties.

A trustworthy workflow is defined as a cryptography-based mechanism thatenables all parties to securely communicate across trust boundariesthrough the central intermediary (the hub), without the hub ever beingable to access the data, nor the data access policies. All end-points insuch a workflow can count on the same degree of trustworthiness of apoint-to-point secure communications supported by protocols such asSSL/TSL and IPSec, as described before.

In addition, for a geo-distributed solution, there are technical,geo-political or legal reasons why a single trustworthy hub would not besufficient. The technical reasons might include performance; thegeo-political reasons might include governments that desire to suppresscollaboration or commerce for sovereign reasons; the legal reasons mightinclude the inefficiency of settlement, reconciliation, litigation andarbitrage across distinct legal boundaries. For that reason, it isnecessary to have a federation of trustworthy hubs in disparate regionsthat can collaborate to provide the same trustworthiness, but with agreater degree of resilience, lower latencies and higher scale.

It is desirable to have methods, systems and apparatuses for monitoringand controlling access to an electronic content.

SUMMARY

An embodiment includes a method of a mediator monitoring and controllingaccess to an electronic content. The method includes receiving, by amediator server of a mediator, a second share SK_(G2) from an ownerserver, wherein a first share SK_(G1) is provided to a member server ofa member of a group by the owner server, wherein the group is created bythe owner server generating a group public key PK_(G) and a group secretkey SK_(G), wherein the member is added by the owner server to the groupby generating the first share SK_(G1) from the group secret key SK_(G)and a public key of the member, and the second share SK_(G2) from thegroup secret key SK_(G) and a public key of the mediator, wherein a userpublishes an electronic content for the group, comprising the userencrypting the electronic content to the group public key PK_(G),wherein the electronic content includes a header and a payload, andwherein the member obtains the encrypted electronic content. The methodfurther includes the mediator receiving a request from the member formediation, comprising the mediator receiving a dispatch of the header ofthe encrypted electronic content, the mediator receiving a request, bythe member, for mediation, comprising the mediator receiving a dispatchof the header of the encrypted electronic content from the member,determining, by the mediator, whether the member is eligible to decryptthe electronic content, if eligible, the mediator responding to therequest for mediation with a member accessible header, wherein themember accessible header includes the header after application ofSK_(G2), wherein the member obtains a secret based on SK_(G1) and themember accessible header, and wherein the member decrypts the payload ofthe electronic content using the secret.

Other aspects and advantages of the described embodiments will becomeapparent from the following detailed description, taken in conjunctionwith the accompanying drawings, illustrating by way of example theprinciples of the described embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a system that provides for monitoring and control of accessto an electronic content, according to an embodiment.

FIG. 2 shows another system that provides for monitoring and control ofaccess to an electronic content, according to an embodiment.

FIG. 3 shows another system that provides for monitoring and control ofaccess to an electronic content, according to an embodiment.

FIG. 4 shows another system that provides for monitoring and control ofaccess to an electronic content, according to an embodiment.

FIG. 5 shows another system that provides for monitoring and control ofaccess to an electronic content, according to an embodiment.

FIG. 6 shows another system that provides for monitoring and control ofaccess to an electronic content, according to an embodiment.

FIG. 7 is a flow chart that includes steps of a method for monitoringand control of access to an electronic content, according to anembodiment.

FIG. 8 is a flow chart that includes additional steps of a method formonitoring and control of access to an electronic content, according toan embodiment.

FIG. 9 shows a client connect agent according to an embodiment.

FIG. 10 shows a service connect agent according to an embodiment.

FIG. 11 shows a cloud connect service according to an embodiment.

DETAILED DESCRIPTION

The described embodiments include methods, systems and apparatuses forproviding for monitoring and control of access to an electronic content.

At least one benefit of the described embodiments includes the abilityfor individuals and organizations to leverage the benefits of clouds andother networks, which include lower costs, higher scale, andgeo-distribution, in order to maximize their own efficiencies that mightinclude lower capital and operational expenses.

There exist several collaboration and commerce networks that can benefitfrom the lower costs, scale and geo-distribution of clouds. Thesenetworks include supply and demand chains, and international trade. Inthe present day there is a precise support system that includes banks,escrow parties, shipping corporations, and mediation. However these donot scale for electronic commerce, when it is necessary for a human tobe a mandatory intermediary for any typical transaction (as opposed to ahuman needing to get involved in the case of an error or a conflict).

Due to the replacement of that the previously described “messy crossbar”with a trustworthy hub, it is now easier for diverse technologies andsolutions to integrate and inter-operate, since each spoke needs toperform a one-time integration with the trustworthy hub. In addition, itis possible for the hub to present a variety of interfaces to thespokes, and then perform the routing and inter-operation within the hub.In deployment scenarios with multiple hubs, each hub might implement aspecific class of technologies.

Whereas present-day distributed architectures are stilted due to theneed to protect data through the containers that they reside in, theenablement of visibility and control facilitates the caching ofelectronic content closer to the expected consumer, which optimizes thedata path, whereas the control path for key access and for metering iseasier to optimize for cloud scale. This provides the underpinning fornew architectures that enable higher-scale and greater efficiency,noting that the current corporate and Internet traffic is dominated byvideo and file sharing.

FIG. 1 shows a system that provides for monitoring and control of accessto an electronic content, according to an embodiment. As shown, thesystem includes an owner 110, a member 120, and a mediator 130. Anembodiment includes the formation of a group, wherein the group allowsfor the sharing and collaboration of a document, or more generally,electronic content. The group is formed by the owner 110. For anembodiment, formation of the group includes the owner 110 publishing agroup public key PK_(G), and generating and maintaining a group secretkey SK_(G) as a secret. The owner can store the group secret key SK_(G),for example, in its own data center.

Further, the member 120 and the mediator 130 each publish their ownpublic keys, and maintain corresponding secret keys as a secret. Themember 120 and the mediator 130 can each secure their secret key byprotecting the secret key through encryption before storing ortransmitting the secret key to a custodian. That key encryption key canbe derived from a pass phrase that only the principal (originator of thesecret key) knows.

Once the group has been formed, the owner 110 adds members (such asmember 120) by generating a first share SK_(G1) from the group secretkey SK_(G) and a public key of a member, and a second share SK_(G2) fromthe group secret key SK_(G) and a public key of a mediator. The owner110 adds the member to the group by obtaining the member's public keyfrom the mediator (or some other public source).

Once the group has been formed and the owner 110 has published the grouppublic key PK_(G), a publisher 140 can encrypt a document (moregenerally, electronic content) using the group public key PK_(G). For anembodiment, the user retrieves the group public key PK_(G) from acustodian (owner 110), wherein the custodian is operating in thedirectory role. For an embodiment, the document is encrypted accordingto a key K, and the key K is encrypted according to the group public keyPK_(G). For an embodiment, the document includes a payload and a header.

The member 120 can obtain the encrypted document in various ways. Thepublisher 140 may send the encrypted document to the member 120, themember 120 may retrieve the encrypted document, or there may be anintermediary, such as, Drop Box® between the publisher 140 and themember 120.

The member 120 receives the document, but cannot directly decrypt thedocument because the member 120 does not have access to the group secretkey SK_(G). However, at least some embodiments allow the member 120 todecrypt the document through the aid of the mediator 130. Morespecifically, for an embodiment, the member 120 request mediation by themediator 130 by submitting the header of the document to the mediator130. If the electronic content is small, the header may actually be thepayload of the electronic content. More typically, the payload is large,and the header only includes a cryptographic secret that can be used tounlock the payload.

In another embodiment, a user server publishes the actual payload to alocation that is resilient against inappropriate access or modification,or because the payload is too voluminous for transmission in the datapath, and publishing a capability for gaining access in lieu of thepayload, and the member server consequently requiring mediation in orderto access that capability for gaining access to the payload.

In certain situations where there is a pre-defined data path, such asdocument sharing through a solution such as Dropbox®, the encrypteddocument, and the associated metadata is best packaged as a single unitthat travels together. The original document that is encrypted is termedthe ‘payload’, and the header contains the cryptographic material andany associated document classifications and/or access policies.

In other situations where the digital content is too unwieldy to sharethrough a solution such as Dropbox®, either due to the size, or to thestreaming nature of access, it may be better to replace the payload withan address. In this situation, the header contains a capability thatconstitutes both a location that is otherwise difficult to guess, alongwith the cryptographic material for an authorized party to performcryptographic operations such as verification and decryption. In thiscase there might be other benefits, such as tamper prevention, sincelack of access to that capability would typically preclude accidental ormalicious defacement or deletion, where defacement renders that originalcontent inaccessible.

In other situations the payload itself might be very small, perhapsrepresenting an offer or a bid in a marketplace scenario, or some othersecret that needs to be securely stored or shared. In this case it mightbe optimal to embed this secret directly within the header. After asuccessful mediation operation, the secret becomes directly accessibleto the authorized recipient (such as, member 120) without the subsequentneed to unlock any payload.

Once the mediator 130 receives the request for mediation from the member120, the mediator 130 checks to confirm that the member 120 is eligiblefor decryption of the document. The eligibility of the member 120 can bedetermined in one or more ways.

One mechanism for determining member eligibility is for the mediator 130to maintain a white list, or a black list of eligible members. Typicallythe owner 110, or the delegate or auditor updates this list. In thiscase the member 120 is eligible if they are on the white list, or ifthey are not on the black list, or both.

Another mechanism for determining member eligibility is for the mediator130 to maintain a matrix of authorization, where one dimension of thematrix is the document classification, while the other dimension is theaccess requirements. The first might be transferred securely (andprivately in some cases) from the publisher 140, to the mediator 130through the header. The second might specify individuals (through awhite or black list), or it might specify specific roles that arequestor needs to be member of, which is sometimes described as RBAC,or Role Based Access Control. The second might also specify a claim thatthe member 120 needs to provide to prove they have legitimate access tothat document. This might be either an ancillary mechanism that is usedin addition to group membership usually signs this claim, or it might bein lieu of group membership (where any member with the right claim willhave access to that document). Some authority that the Mediator knows ofcan issue such a claim.

There are other mechanisms for the mediator 130 to determine eligibilityof a member 120, which involve integration with existing enterprise andfederation infrastructures. For example, in a policy-based network, themediator 130 may serve as an enforcement point (or Policy EnforcementPoint) that needs to check with one or more Policy Decision Pointsbefore it executes the mediation.

For an embodiment, the mediator 130 logs the requests by the member,eligibility determinations, and mediator responses. For an embodiment,the logging includes the mediator 130 storing the requests by themember, eligibility determinations, and mediator responses. Each ofthese can be logged at a server, wherein the server is accessible by theowner and others. For an embodiment, the logging includes the mediatordispatching alerts of the requests by the member, eligibilitydeterminations, and mediator responses to the owner and others.

Due to the trustworthy nature of the hub, it is an enabler of fine-grainlifecycle management of electronic content, perhaps in cases where itmight be a business record, and this facilitates the enforcement ofretention, disposition, hold, and other events of data that is owned byan individual or organization, but is outside their region of control.

Based on the configuration, the hub may either log access requests(either ones that failed due to lack of eligibility, or both). Theselogs may be made available to just the parties authorized by the groupowner, or their delegate or auditor. In other cases the logs may bedelivered in the form of alerts to the group owner, or their delegate orauditor, in cases where there is a need for rapid notification.

If the mediator 130 determines that the member 120 is eligible, themediator 130 responds to the request for mediation with a memberaccessible header, wherein the member accessible header includes theheader after application of SK_(G2).

Typically the logs and alerts from the hub are integrated withenterprise infrastructure that might range from Syslogd, to specializedmonitoring and discovery solutions, or possibly to high-scale logprocessing systems that might post-process these logs for purposes thatmight include filtering, classification, pattern or anomaly detection.In many cases, a cloud or similar network can provide an end-to-endservice that would significantly reduce any individual or organization'scapital and operational expenses.

For an embodiment, the member 120 obtains a secret based on SK_(G1) andthe member accessible header. Further, the member 120 decrypts thepayload of the electronic content using the secret. Through thecontrolled document (electronic content) access of the describedembodiments, the member 120 is able to decrypt the document only throughthe participation and control of the mediator, and the owner 110.

As shown, the mediator 130 is at least partially controlled by a cloudconnect service (CCS) 134, the member 120 and the publisher 140 are atleast partially controlled by a client connect agent (CCA) 114, and theowner 110 is at least partially controlled by a service connect agent(SCA) 132. The owner 110 operates within a trusted zone and the mediatoroperates within a partially trusted zone.

In some embodiments the CCS 134 centralizes roles that includeDirectory, Key Store, Mediator, Log Storage and Delivery, and others. Inother embodiments a separate party that includes the owner operator ortheir organization or delegate hosts the Mediator.

It is to be understood that the roles of each of the parties (owner 110,member 120, mediator 130, publisher 140) can be changed, and/or theparties can play multiple roles. That is, for example, the member 120can additionally play the role of owner. In some embodiments the groupowner 110 represents more than one individual, whereby access to thegroup secret key itself is mediated in a similar operation.

FIG. 1 provides trustworthy workflow between a publisher 140 and amember 120 of a group formed by an owner 110. For an embodiment, theowner 110 includes a custodian. For an embodiment, the mediator 130includes a curator. Each of the owner 110, the member 120, the mediator130 and the publisher 140 include servers, wherein each server includesat least one or more processors and memory.

FIG. 2 shows another system that provides for monitoring and control ofaccess to an electronic content, according to an embodiment. FIG. 2shows that for an embodiment, the member 220 can also play the role ofan owner, and create a subordinate group that includes a subordinatemember 222. As previously described, each of the parties of the systemcan be multiple roles.

Similar to the group formation previously described, the owner 220 (alsoplaying the role of member as previously described) publishes a grouppublic key PK_(G2), and generating and maintaining a group secret keySK_(G2) as a secret. The owner can store the group secret key SK_(G2),for example, in its own data center.

The subordinate member 222 and a subordinate mediator 232 each publishtheir own public keys, and maintain corresponding secret keys as asecret. The subordinate member 222 and the subordinate mediator 232 caneach secure their secret key by protecting the secret key throughencryption before storing or transmitting the secret key to a custodian.That key encryption key can be derived from a pass phrase that only theprincipal (originator of the secret key) knows.

Once the group has been formed, the owner 220 adds members (such assub-ordinate member 222) by generating a first share SK_(G21) from thegroup secret key SK_(G2) and a public key of the sub-ordinate member222, and a second share SK_(G2) from the group secret key SK_(G2) and apublic key of a sub-ordinate mediator 232. The owner 220 adds thesub-ordinate member to the group by obtaining the sub-ordinate member'spublic from the sub-ordinate mediator 232 (or some other public source).

Once the group has been formed and the owner 220 has published the grouppublic key PK_(G21), the publisher 140 (note that this can be anentirely different publisher than previously described) can encrypt adocument (more generally, electronic content) using the group public keyPK_(G21). For an embodiment, the sub-ordinate user 222 retrieves thegroup public key PK_(G2) from the owner 220, wherein the owner 220 isoperating in the directory role. For an embodiment, the document isencrypted according to a key K, and the key K is encrypted according tothe group public key P_(KG21). For an embodiment, the document includesa payload and a header.

The subordinate member 222 can obtain the encrypted document in variousways. The publisher 140 may send the encrypted document to thesubordinate member 222, the subordinate member 222 may retrieve theencrypted document, or there may be an intermediary, such as, drop boxbetween the publisher 140 and the subordinate member 222.

The subordinate sub-ordinate member 222 receives the document, butcannot directly decrypt the document because the sub-ordinate member 222does not have access to the group secret key SK_(G21). However, at leastsome embodiments allow the sub-ordinate member 222 to decrypt thedocument through the aid of the sub-ordinate mediator 232. Morespecifically, for an embodiment, the sub-ordinate member 222 requestmediation by the sub-ordinate mediator 232 by submitting the header ofthe document to the sub-ordinate mediator 232. If the electronic contentis small, the header may actually be the payload of the electroniccontent. More typically, the payload is large, and the header onlyincludes a cryptographic secret that can be used to unlock the payload.

Once the sub-ordinate mediator 232 receives the request for mediationfrom the sub-ordinate member 222, the sub-ordinate mediator 232 checksto confirm that the sub-ordinate member 222 is eligible for decryptionof the document. The eligibility of the sub-ordinate member 222 can bedetermined in one more ways.

For an embodiment, the sub-ordinate mediator 232 logs the requests bythe member, eligibility determinations, and mediator responses. For anembodiment, the logging includes the sub-ordinate mediator 232 storingthe requests by the member, eligibility determinations, and mediatorresponses. Each of these can be logged at a server, wherein the serveris accessible by the owner and others. For an embodiment, the loggingincludes the mediator dispatching alerts of the requests by the member,eligibility determinations, and mediator responses to the owner andothers.

If the sub-ordinate mediator 232 determines that the sub-ordinate member222 is eligible, the sub-ordinate mediator 232 responds to the requestfor mediation with a member accessible header, wherein the memberaccessible header includes the header after application of SK_(G21).

For an embodiment, the sub-ordinate member 222 obtains a secret based onSK_(G11) and the member accessible header. Further, the sub-ordinatemember 222 decrypts the payload of the electronic content using thesecret. Through the controlled document (electronic content) access ofthe described embodiments, the sub-ordinate member 222 is able todecrypt the document only through the participation and control of themediator, and the owner 220.

FIG. 3 shows another system that provides for monitoring and control ofaccess to an electronic content, according to an embodiment. Thisembodiment includes the addition of a second member 320. Similar to theembodiments previously described, the owner 110 can add the secondmember 320 by generating a first share SK_(G1)′ from the group secretkey SK_(G) and a public key of the second member, and a second shareSK_(G2)′ from the group secret key SK_(G) and the public key of themediator (here, a second mediator 330 is shown, but the mediator canalternatively be the prior mediator 130). Further, the owner 110provides the first share SK_(G1)′ to the second member 320 and thesecond share SK_(G2)′ to the mediator 330, wherein the second shareSK_(G2) is different than the second share SK_(G2)′.

For at least some embodiments, there are multiple mediators for eitherbusiness reasons, such as separation of responsibilities, or forcompliance reasons where certain categories of mediation are performedby a compliant entity, or for federal or government reasons where someof the mediation is deemed to be more sensitive. In addition topartitioning of mediators in this manner, it might be desired to have alevel of redundancy and scale by duplicating the functionality of amediator across multiple instances.

FIG. 4 shows another system that provides for monitoring and control ofaccess to an electronic content, according to an embodiment. Thisembodiment includes water mark and policy controls of the publisher. Aspreviously described, the publisher 140 provides a document (moregenerally, electronic content) to the member 120 that includes a headera payload. As previously described, for an embodiment, if the electroniccontent is small, the header may actually be the payload of theelectronic content. For another embodiment, the payload is large, andthe header only includes a cryptographic secret that can be used tounlock the payload. For an embodiment, the payload includes a pointer towhere the electronic content is located (stored). Again, the header mayinclude a cryptographic secret that can be used to unlock the payload(pointer).

The publish 140 can maintain some control by embedding, for example, anopaque watermark in the header, and logging (at, for example, a loggingserver 490), by a mediator 430, the header when received by the mediator430 from the member, 120 thereby allowing the publisher 140 to track theelectronic content. For at least some embodiments, the watermark isselectively translucent to other parties, perhaps log processingservices, that might be able to detect patterns and anomalies, but in amanner that minimizes compromise of sensitive content. As shown in FIG.4, the header may include a key/locator that is necessary for theintended recipient to obtain access to the sensitive payload. For atleast some embodiments, the received document is a composite of a headerand a payload, and the secret is the decryption key that is madeavailable subsequent to mediation. In addition, for at least someembodiments, the secret might is augmented with a verification key forensuring that the payload has not been tampered with in transit orstorage. In cases where this payload is absent, perhaps for reasons ofefficiency or enhanced security, the secret might also consist of alocator, such as a Uniform Resource Identifier, along with a decryptionkey. The intended recipient only knows of the real location of thepayload that is a candidate for decryption after a successful mediation.

Another embodiment includes the publisher 140 inserting, an electroniccontent specific policy in the header (as shown in FIG. 4 as a policyfor mediator 430), wherein only the mediator 430 can decrypt the policy,and wherein the electronic content specific policy provides additionalinstructions regarding eligibility of the member. For an embodiment, thepolicy directs the mediator to request mediation from a higher mediatorauthority. In at least some embodiments, the policy is not visible tothe members, but is made available to the mediator 430. In otherembodiments, the policy that is visible to the mediator 430 consists ofsubsequent instructions, such as the need to consult with a policydecision point, where those instructions to that policy decision pointmay not necessarily be visible to the mediator 430.

For an embodiment, the header optionally contains visible informationfor intermediaries to perform cryptographic operations that mightinclude checking for integrity of the encrypted payload, or establishingnon-repudiation or data provenance. For an embodiment, the memberaccessible header optionally contains information for performingcryptographic operations that might include checking for integrity ofthe encrypted or decrypted payload, or establishing non-repudiation ordata provenance.

FIG. 5 shows another system that provides for monitoring and control ofaccess to an electronic content, according to an embodiment. Thisembodiment includes a first owner 510 and a second owner 512. As shown,the first owner 510 provides a first policy and the second owner 512provides a second policy. This embodiment provides for extension tomultiple owners (curators) and provides federation of the curators,wherein each owner (curator) is responsible for their own sets ofcontent. While two owners are shown, the described embodiments are notlimited to two owners.

Typically in a scenario that involves collaboration or commerce, thereare diverse, perhaps mutually distrustful participants that need tomanage their own access policies that might include management of whiteor black lists, and perhaps ratings of buyers, sellers or otherparticipants. These scenarios are “federated” and can consist of morethan one owners might either have exclusive control over theirrespective sets of documents that they are the resource providers of, orit may be the case that they may have to co-operate through some policyto be able to update or modify the mediation policy.

FIG. 6 shows another system that provides for monitoring and control ofaccess to an electronic content, according to an embodiment. Thisembodiment includes a first mediator 630 and a second mediator 632. Formediation, each of the mediators 630, 632 weigh in. While two mediatorsare shown, the described embodiments are not limited to two mediators.

The described embodiments enable the high-scale enablement of existingnetworks such as International Trade, where multiple mediators, asdescribed below, might represent the banks that represent buyers andsellers, and the eligibility for access to electronic goods, or to thepayment, is gated by the need for a successful mediation by theappropriate mediator, which is likely to have up-to-date informationabout the transaction in question.

There are other federation scenarios where the participants may not bewilling or able to agree upon a single mediator. This might be forglobal commerce, where the physical location of a mediator might make itsubject to disruption or coercion by local powers. In such a situation,at least some embodiment include more than one mediator that is isolatedwithin distinct physical or electronic boundaries that limits physicalor electronic access, and the successful mediation requires allmediators to execute a mediation operation. It is possible to have moreexpressive circuits, such as thresholds, where perhaps a specifiedmajority of mediators needs to execute their part in the mediation,before the intended recipient gets access to the payload.

FIG. 7 is a flow chart that includes steps of a method for monitoringand control of access to an electronic content, according to anembodiment. A first step 710 includes creating, by an owner server, agroup comprising generating a group public key PK_(G) and a group secretkey SK_(G). A second step 720 includes adding, by the owner server, amember to the group, comprising generating a first share SK_(G1) fromthe group secret key SK_(G) and a public key of a member, and a secondshare SK_(G2) from the group secret key SK_(G) and a public key of amediator. A third step 730 includes providing, by the owner server, thefirst share SK_(G1) to a member server of the member and the secondshares SK_(G2) to a mediator server of the mediator.

FIG. 8 is a flow chart that includes additional steps of a method formonitoring and control of access to an electronic content, according toan embodiment. A first step 840 includes a user publishing an electroniccontent for the group, comprising the user encrypting the electroniccontent to the group public key PK_(G), wherein the electronic contentincludes a header and a payload. A second step 850 includes obtaining,by the member, the encrypted electronic content. A third step 860includes requesting, by the member, mediation by the mediator,comprising the member dispatching the header of the encrypted electroniccontent to the mediator. A fourth step 870 includes determining, by themediator, whether the member is eligible to decrypt the electroniccontent, if eligible, the mediator responding to the request formediation with a member accessible header, wherein the member accessibleheader includes the header after application of SK_(G2). A fifth step880 includes obtaining, by the member, a secret based on SK_(G1) and themember accessible header. A sixth step 890 includes decrypting, by themember, the payload of the electronic content using the secret.

As previously described, an embodiment includes the mediator loggingrequests by the member, eligibility determinations, and mediatorresponses. Specifically, for an embodiment, the logging includes themediator storing the requests by the member, eligibility determinations,and mediator responses at a server, wherein the server is accessible bythe owner and others. For another embodiment, the logging includes themediator dispatching alerts of the requests by the member, eligibilitydeterminations, and mediator responses to the owner and others.

As previously described, for an embodiment determining whether themember is eligible includes the mediator being notified by the ownerprior to the mediation request. For another embodiment determiningwhether the member is eligible comprises the mediator being notified bythe owner or another authority prior to the mediation request that themember's public key in invalid.

As previously described, for an embodiment, if the payload is greaterthan a threshold in size, the header includes a secret needed to decryptthe payload. If the payload is less than the threshold in size, theheader is the payload.

As previously described, an embodiment further includes the memberacting in an owner capacity, and creating a subordinate group. For anembodiment, this includes creating, by the member, a subordinate groupcomprising generating a subordinate group public key PK_(G) and asubordinate group secret key SK_(G), adding, by the member, asubordinate member to the subordinate group, including generating afirst share SK_(G11) from the subordinate group secret key SK_(G) and apublic key of a subordinate member, and a second share SK_(G21) from thesubordinate group secret key SK_(G) and a public key of a subordinatemediator, and providing the member the first share SK_(G11) to asubordinate member server of the subordinate member and the secondshares SK_(G21) to a subordinate mediator server of the subordinatemediator.

As previously described, an embodiment includes adding, by the ownerserver, a second member to the group, comprising generating a firstshare SK2 _(G1) from the group secret key SK_(G) and a public key of thesecond member, and a second share SK_(G2)′ from the group secret keySK_(G) and the public key of the mediator, and providing, by the ownerserver, the first share SK_(G1)′ to a second member server of the secondmember and the second share SK_(G2)′ to the mediator server of themediator, wherein the second share SK_(G2) is different than the secondshare SK_(G2)′.

As previously described, an embodiment further includes embedding, bythe publisher, an opaque watermark in the header, and logging, by themediator, the header when received by the mediator from the member,thereby allowing the publisher to track the electronic content.

As previously described, an embodiment further includes inserting, bythe publisher, an electronic content specific policy in the header,wherein only the mediator can decrypt the policy, and wherein theelectronic content specific policy provides additional instructionsregarding eligibility of the member. For an embodiment, the policydirects the mediator to request mediation from a higher mediatorauthority.

FIG. 9 shows an embodiment of the client connect agent (CCA) accordingto an embodiment. As previously described and shown in FIGS. 1, 2, 3 and4, the member 120 and the publisher 140 have access to the clientconnect agent (CCA) 114. As described, an embodiment of CCA can be anindependent software application program running in the member 120 orthe publisher's 140 computing device, such as desktop, laptop, mobiledevice, etc. Another embodiment of CCA is operable to run within a webbrowser.

As shown, this embodiment includes at least the following modules anAdministrative Module 501, a Service Enrollment Module 502, a DataTransport Module 503, a Key Store and Directory Module 504, a CryptoEngine Module 505, and a CCS Interface Module 506.

For an embodiment, the Administrative Module 501 performs variousconfiguration and administrative tasks to configure the local CCA, tomanage users and groups within the CCA control, to interface with humanusers through a command line interface (CLI) or a UI interface (UI), tointerface with other programs through an application programminginterface (API), to update CCA software from the connected CCS, and tosend event logs to CCS via CCS Interface Module 506.

For an embodiment, the Service Enrollment Module 502 performs enrollmenttasks with a realm that is represented by one or more curators. TheService Enrollment Module 502 also manages the password and the loginprocess with the connected CCS, among others.

For an embodiment, the Data Transport Module 503 is responsible for dataupload and download. The data can be uploaded from the compute devicewhere the CCA operates and to any data repository in the cloud throughany data transfer protocol such as email, HTTP, FTP, etc. or physicaldata storage media such as floppy disc, CD ROM, DVD ROM, USB Drive,etc., and vice versa.

For an embodiment, the Key Store and Directory Module 504 stores localuser's secrets (such as the private/secret keys,) that are encrypted andcopies of various certificates that can be used for local CCA cacheaccess and offline operations.

For an embodiment, the Crypto Engine Module 505 performs variousencryption/decryption, signing, and key generation functions.

For an embodiment, the CCS Interface Module 506 performs securecommunications with CCS. For at least some embodiments, the CCSInterface Module 506 includes a RESTful interface Adapter—CRUD calls fordata and control communications between SCA and CCS, aWebSockets—Receive Callbacks from CCS, and a DNS Resolver—fast path forquerying the CCS for directory (certificates) lookup and requesting forMediation operations.

As shown, the owner 110 as shown in FIGS. 1, 2, 3 and 4 is at leastpartially controlled by a server connect agent (SCA) 142. For anembodiment, the SCA 142 includes a software appliance that can bepackaged as, but not limited by, a piece of executable program in abinary form, a virtual machine, or a dedicated server. For at least someembodiments, the software appliance runs within a curator's firewall.Depicted in FIG. 10, the embodiments of the SCA 142 includes anAdministrative Module 601, a Realm Management Module 602, a DataTransport Module 603, a Key Store and Directory Module 604, a CryptoEngine Module 605, a CCS Interface Module 606, a GRC Portal Module 607,an a Policy Adaptor Module 608.

For at least some embodiments, the Administrative Module 601 performsvarious configuration and administrative tasks to configure the localSCA, to manage users and groups within the SCA control, to interfacewith human users through a command line interface (CLI) or a UIinterface (UI), to interface with other programs through an applicationprogramming interface (API), to update SCA software from the connectedCCS, and to send event logs to CCS via CCS Interface Module 506.

For at least some embodiments, the Realm Management Module 602 isresponsible for creating and managing a realm. the Realm ManagementModule 602 performs tasks to invite or permit parties that are partiallycontrolled by CCAs to join the realm. It is also capable of revoking arealm membership. For an embodiment, a realm is one or more curatorsthat are controlled by one SCA. Parties participating in the trustworthyworkflow must be enrolled in at least one realm.

For at least some embodiments, the Data Transport Module 603 isresponsible for data upload and download. The data can be uploaded fromany data source within the one or more curators controlled by the SCAand to any data repository in the cloud through any data transferprotocol such as email, HTTP, FTP, etc. or physical data storage mediasuch as floppy disc, CD ROM, DVD ROM, USB Drive, etc., and vice versa.One source of data can be content containers controlled by Microsoft©SharePoint software.

For at least some embodiments, the Key Store and Directory Module 604stores the realm user's secrets (such as their private/secret keys,)that are encrypted and copies of various certificates that can be usedfor the SCA cache access and offline operations.

For at least some embodiments, the Crypto Engine Module 605 performsvarious encryption/decryption, signing, and key generation functions.

For at least some embodiments, the CCS Interface Module 606 performssecure communications with CCS. At least some embodiments of the CCSInterface Module 606 include a RESTful interface Adapter—CRUD calls fordata and control communications between the SCA and CCS, aWebSockets—Receive Callbacks from CCS, and a DNS Resolver—fast path forquerying the CCS for directory (certificates) lookup and requesting forMediation operations.

For at least some embodiments, the GRC Portal Module 607 is responsiblefor configuring logs, alerts and reports for the realm, querying, andreceiving from, CCS for logs, alerts and reports, searching and indexinglogs, and caching logs locally, and presenting the log information.

For at least some embodiments, the Policy Adaptor Module 608 providesintegration interfaces with the existing data and identity managementinfrastructures in the one or more curators controlled by the SCA. Forat least some embodiments, the interfaces include support for protocolsand services such as, an Active Directory (AD), an Active DirectoryFederation Services (ADFS), a Certificate Authority (CA), a SecurityAssertion Markup Language (SAML), an Online Certificate Status Protocol(OCSP), and/or Proxy Services.

As shown in FIGS. 1, 2, 3 and 4, the mediator 130 at least partiallycontrolled by a cloud connect service (CCS) 134. For at least someembodiments, the CCS 134 is a collection of software running as Softwareas a Service (SaaS) in the cloud, hosted by one or multipleInfrastructure as a Service (IaaS) providers. It is a high-scale,always-on, possibly geo-distributed policy enforcement point, which canfacilitate complex, possibly cross-continental collaboration andcommerce. The CCS 134 is termed “Trustworthy”, meaning that it cannotaccess any data or policy in the clear or cheat because it is preventedfrom doing so by cryptography based technologies. Without such acapability it would be technologically complex to monitor and enforceCCS 134 behavior, if at all that were to be possible.

As illustrated in FIG. 11, at least some embodiments of the CCS 134include an OSS/BSS Module 701, a Data Store Module 720, a ServiceDelivery Module 730, a Crypto Engine Module 704, and a CCS/SCA InterfaceModule 705.

For at least some embodiments, the OSS/BSS Module 701 performsoperations including provisioning, metering, billing, syndication,federations, and other external service interfaces. An embodiment of theOSS/BSS Module 701 provides customer support and trouble shooting.

For at least some embodiments, the Data Store Module 720 at leastpartially includes one or more of a DirFed Table 721, SecureFed Table722, a MapFed Table 723, a Policy Lookup Table 724, a Revocation LookupTable 725, and a Logs and Archives 726. For an embodiment, the DirFedTable 721 is a directory for user and group identities, certificates,policies and other artifacts, which are typically represented by thecorresponding entity's public keys. For at least some embodiments, theSecureFed Table 722 stores encrypted secrets. For an embodiment, theCCS, nor any custodian, is able to decrypt any entry in this table. Forat least some embodiments, the MapFed Table 723 stores, among others,Group membership records, represented, at least partially, throughsigned Mediation Keys, and Realm roles including attestations andsignatures from the realm SCAs. For an embodiment, the Policy LookupTable 724 provides rapid lookup for multi-hop re-encryption key chains.For an embodiment, the Revocation Lookup Table 725 provides rapid lookupfor revocation lists. For an embodiment, the Logs and Archives 726 keepsactivities logs and events. It also archives for policies andactivities, as well as data.

For at least some embodiments, for each sub-module 721-726, the ServiceDelivery Module 730 includes at least a corresponding services deliveredto CCAs and SCAs. For an embodiment, services 731-736 of the ServiceDelivery Module 730 may interact with multiple sub modules 721-726. Foran embodiment, an Identity and Role Update Service 731 receives identityand role update requests from SCAs and CCAs and updates thecorresponding DirFed 721 entries. For an embodiment, a Credential VaultService 732 uploads and downloads the encrypted data, encrypted keys andencrypted policies upon requests from CCAs and SCAs, and updates entriesin SecureFed 722 and Logs and Archives 726. For an embodiment, aMediation Service 733 receives Mediation Keys and Mediation operationrequests from SCAs and CCAs, and performs the requested operations. Itupdates and reads entries in MapFed 723. It may also interact withPolicy Lookup Table 724 and Revocation Lookup Table 725 to validateidentities and authorizations. For an embodiment, a Policy UpdateService 734 updates groups and group memberships in DirFed 721, uponrequests from SCAs, among other tasks. For an embodiment, a RevocationUpdate Service 735 receives identity and role revocation requests from,primarily, SCAs and updates entries in MapFed 723 and Revocation LookupTable 725. Among other sources, such requests may originate from the CAand OCSP interfaces in Policy Adaptor Module 608. For an embodiment, aLogs/Alerts and Archives Service 736 receives event logs from SCAs andCCAs and responds to SCAs (GRC Portal Module 607) requests

The interaction methods between CCSs, SCAs and CCAs through abovedescribed modules and the combined system effects towards providing thetrustworthy workflow across trust boundaries will become more apparentfrom the Operative Steps description as follows.

Although specific embodiments have been described and illustrated, theembodiments are not to be limited to the specific forms or arrangementsof parts so described and illustrated.

1. A method of a mediator monitoring and controlling access to an electronic content, comprising: receiving, by a mediator server of a mediator, a second share SK_(G2) from an owner server, wherein a first share SK_(G1) is provided to a member server of a member of a group by the owner server; wherein the group is created by the owner server generating a group public key PK_(G) and a group secret key SK_(G); wherein the member is added by the owner server to the group by generating the first share SK_(G1) from the group secret key SK_(G) and a public key of the member, and the second share SK_(G2) from the group secret key SK_(G) and a public key of the mediator; wherein a user publishes an electronic content for the group, comprising the user encrypting the electronic content to the group public key PK_(G), wherein the electronic content includes a header and a payload; and wherein the member obtains the encrypted electronic content; further comprising; the mediator receiving a request, by the member, for mediation, comprising the mediator receiving a dispatch of the header of the encrypted electronic content from the member; determining, by the mediator, whether the member is eligible to decrypt the electronic content, if eligible, the mediator responding to the request for mediation with a member accessible header, wherein the member accessible header includes the header after application of SK_(G2); wherein the member obtains a secret based on SK_(G1) and the member accessible header; and wherein the member decrypts the payload of the electronic content using the secret.
 2. The method of claim 1, further comprising the mediator logging requests by the member, eligibility determinations, and mediator responses.
 3. The method of claim 2, wherein logging comprises the mediator storing the requests by the member, eligibility determinations, and mediator responses at a server, wherein the server is accessible by the owner and others.
 4. The method of claim 2, wherein logging comprises the mediator dispatching alerts of the requests by the member, eligibility determinations, and mediator responses to the owner and others.
 5. The method of claim 1, wherein determining whether the member is eligible comprises the mediator being notified by the owner prior to the mediation request.
 6. The method of claim 1, wherein determining whether the member is eligible comprises the mediator being notified by the owner or another authority prior to the mediation request that the member's public key in invalid.
 7. The method of claim 1, wherein if the payload is greater than a threshold in size, the header includes a secret needed to decrypt the payload.
 8. The method of claim 1, wherein if the payload is less than a threshold in size, the header is the payload.
 9. The method of claim 1, wherein the mediator, the publisher and the member publish public keys and secure corresponding secret keys.
 10. The method of claim 1, wherein an opaque watermark in the header is embedded by the publisher, and further comprising: logging, by the mediator, the header when received by the mediator from the member, thereby allowing the publisher to track the electronic content.
 11. The method of claim 1, wherein the publisher inserts an electronic content specific policy in the header, wherein only the mediator can decrypt the policy, and wherein the electronic content specific policy provides additional instructions regarding eligibility of the member.
 12. The method of claim 11, wherein the policy directs the mediator to request mediation from a higher mediator authority.
 13. A mediator server operative to monitor and control access to an electronic content, comprising a mediator of the mediator server operative to: receive a second shares SK_(G2) from an owner server, wherein a first share SK_(G1) is provided to a member server of a member by the owner server; wherein a group is created by the owner server comprising generating a group public key PK_(G) and a group secret key SK_(G); wherein the member is added by the owner server to the group by generating the first share SK_(G1) from the group secret key SK_(G) and a public key of the member, and the second share SK_(G2) from the group secret key SK_(G) and a public key of the mediator; wherein a user publishes an electronic content for the group, comprising the user encrypting the electronic content to the group public key PK_(G), wherein the electronic content includes a header and a payload; and wherein the member obtains the encrypted electronic content; the mediator of the mediator server further operative to: receive a request, by the member, for mediation, comprising the mediator receiving a dispatch of the header of the encrypted electronic content from the member; determine whether the member is eligible to decrypt the electronic content, if eligible, the mediator responding to the request for mediation with a member accessible header, wherein the member accessible header includes the header after application of SK_(G2); wherein the member obtains a secret based on SK_(G1) and the member accessible header; and wherein the member decrypts the payload of the electronic content using the secret.
 14. The mediator server of claim 13, wherein the mediator is further operative to log requests by the member, eligibility determinations, and mediator responses.
 15. The mediator server of claim 14, wherein logging comprises the mediator storing the requests by the member, eligibility determinations, and mediator responses at a server, wherein the server is accessible by the owner and others.
 16. The mediator server of claim 14, wherein logging comprises the mediator dispatching alerts of the requests by the member, eligibility determinations, and mediator responses to the owner and others.
 17. The mediator server of claim 13, wherein the mediator is further operative determine whether the member is eligible comprises the mediator being notified by the owner prior to the mediation request.
 18. The mediator server of claim 13, wherein determining whether the member is eligible comprises the mediator being notified by the owner or another authority prior to the mediation request that the member's public key in invalid.
 19. The mediator server of claim 13, wherein if the payload is greater than a threshold in size, the header includes a secret needed to decrypt the payload.
 20. The mediator server of claim 13, wherein if the payload is less than a threshold in size, the header is the payload. 